Twitter Hacked; Company Says 250K Users May Have Been Affected

Illustration: @YiyingLu via Twitter

Following a string of revelations this week from several media companies who announced they had been recently hacked, Twitter announced on Friday that it had also been the target of a sophisticated attack.

The company wrote in a blog post ironically titled “Keeping our users secure” that it detected unusual patterns this week that led it to identify attempts to access user data.

“We discovered one live attack and were able to shut it down in process moments later,” wrote Bob Lord, Twitter’s director of information security. “However, our investigation has thus far indicated that the attackers may have had access to limited user information — usernames, email addresses, session tokens and encrypted/salted versions of passwords — for approximately 250,000 users.”

As a result, the company said it had reset passwords and revoked session tokens for the accounts suspected of being affected. The company also sent an email to affected users informing them that their old password was no longer valid and that they would need to create a new one.

The email, forwarded to Wired by a reader who received it, reads:

“Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.”

The email also warns users to “Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.”

Lord did not explain how the attackers got in and accessed the data, but said that he did not believe Twitter was the only company targeted.

“This attack was not the work of amateurs, and we do not believe it was an isolated incident,” he wrote. “The attackers were extremely sophisticated, and we believe other companies and organizations have also been recently similarly attacked. For that reason we felt that it was important to publicize this attack while we still gather information, and we are helping government and federal law enforcement in their effort to find and prosecute these attackers to make the Internet safer for all users.”

Twitter recently began bulking up its security team with a number of high-profile hires. In 2011 noted white hat hacker and security pro Moxie Marlinspike joined Twitter after the company acquired his mobile encryption firm Whisper Systems. Last September, Marlinspike helped bring on board fellow noted white hat hacker and researcher Charlie Miller.

Just two weeks ago, however, Marlinspike announced that he was leaving Twitter.

Twitter’s hack announcement Friday comes in a week crowded with announcements about media companies that have been hacked. On Thursday, the New York Times revealed that hackers, who had been inside its network for at least four months, had succeeded in stealing the usernames and passwords of all of its employees in an apparent attempt to identify sources and gather other intelligence about stories related to the family of China’s prime minister.

The hackers also broke into the email account of the newspaper’s Shanghai bureau chief, David Barboza, who conducted the investigation, as well as the email account of Jim Yardley, the paper’s South Asia bureau chief in India, who had previously worked out of Beijing.

The Times report indicated that the attack was part of a wave of attacks that appeared to come from China and were targeted against western media outlets.